Tor onion site
Authors: Philipp Winter, Anne Edmundson, and Laura M. Roberts, Princeton University; Agnieszka Dutkowska-Żuk, Independent; Marshini Chetty and Nick Feamster, Princeton University

Abstract: Onion services are anonymous network services that are exposed over the Tor network. In contrast to conventional Internet services, onion services are private, generally not indexed by search engines, and use self-certifying domain names that are long and difficult for humans to read. In this paper, we study how people perceive, understand, and use onion services based on data from 17 semi-structured interviews and an online survey of 517 users. We find that users have an incomplete mental model of onion services, use these services for anonymity, and have varying trust in onion services in general. Users also have difficulty discovering and tracking onion sites and authenticating them. Finally, users want technical improvements to onion services and better information on how to use them. Our findings suggest various improvements for the security and usability of Tor onion services, including ways to automatically detect phishing of onion services, clearer security indicators, and better ways to manage onion domain names that are difficult to remember.
new Onion v3 hidden service with a vanity address, as seen above. The hidden service that I originally hosted for testing Onion v3 in the alpha builds is: 32zzibxmqi2ybxpqyggwwuwz7a3lbvtzoloti7cxoevyvijexvgsfeid.onion, however this is now offline. You can read my blog post about generating an Onion v3 vanity address using mkp224o here.

As of writing this post, you need at least tor-0.3.2.1-alpha (eg: Tor Browser 7.5a5) in order to access the new Onion v3 hidden services.

Onion v3 is the new next-generation Tor Onion Services specification. The most noticeable change is the increase in address length, however Onion v3 uses better cryptography, ECC (elliptic curve cryptography) rather than RSA, and has an improved hidden service directory protocol.

Since this hidden service is running on an alpha build of Tor, I am hosting it on a separate, isolated server. I'm also using a virtual machine for testing the Tor Browser alpha builds, as seen above.

Hidden Service Configuration

In order to set up an Onion v3 hidden service, you'll have to build Tor from source.

Download and verify Tor (standalone) from the Tor downloads page.
Below are my verifications for Tor 0.3.2.2 Alpha and Tor Browser 7.5a5 for Linux 64 bit, but always make sure to do your own verifications too:

    File Name: tor-0.3.2.2-alpha.tar.gz
    Size: 6 MB (6,257,177 bytes)
    SHA256: 948f82246370eadf2d52a5d1797fa8966e5238d28de5ec69120407f22d59e774
    SHA1: ffd6f805fcd7282b8ed3e10343ac705519bdc8f2
    MD5: 18f95b54ac0ba733bd83c2a2745761a8
    Link: https://www.torproject.org/dist/tor-0.3.2.2-alpha.tar.gz

    File Name: tor-0.3.2.2-alpha.tar.gz.asc
    Size: 0.8 KB (801 bytes)
    SHA256: f5a1bb1087814753f1ade3ba16dfaf8cb7a77475cb9b09c91a56bacf42c35d24
    SHA1: 6fd356bcec3d337bf458c9ad784ab148afcbeb30
    MD5: a20385bae042b0407737147421e3f426
    Link: https://www.torproject.org/dist/tor-0.3.2.2-alpha.tar.gz.asc

    File Name: tor-browser-linux64-7.5a5_en-US.tar.xz
    Size: 72 MB (75,076,296 bytes)
    SHA256: 8cee4cc0f82463da782cf3e7817e0b72507e6b200b5cccd549fe9f7e77d1d90d
    SHA1: 3e041335e2fa45daeb658ac082eac722322d0a73
    MD5: 53a696af2bfe7103c7b83d0dd243cd5c
    Link: https://www.torproject.org/dist/torbrowser/7.5a5/tor-browser-linux64-7.5a5_en-US.tar.xz

    File Name: tor-browser-linux64-7.5a5_en-US.tar.xz.asc
    Size: 0.8 KB (801 bytes)
    SHA256: f209d9242ca86e6cecebd30611412ffbb8ea489326b74a69244621754a87831c
    SHA1: 23620d7c03593b94f1303ba642da6d0738755209
    MD5: 5daf333a90e189a16786d08d3aaf6a19
    Link: https://www.torproject.org/dist/torbrowser/7.5a5/tor-browser-linux64-7.5a5_en-US.tar.xz.asc

Compile Tor with ./configure followed by make. On a fresh Ubuntu Server 16.04 system, you'll need to install gcc, libevent-dev, libssl-dev and make.

Once compiled, create the directory and file /usr/local/etc/tor/torrc. This is the default configuration file location for Tor when built from source.
Sample torrcs are available within the src/config/ directory of your compiled Tor installation.

In order to set up an Onion v3 Hidden Service, add the following to your torrc:

    HiddenServiceDir /desired/path/to/hidden/service/config
    HiddenServiceVersion 3
    HiddenServicePort <localport> <server>

The HiddenServiceDir can be any folder on your system that Tor will have write access to, although it should be a private area since the keys will be stored here.

<localport> is the local port that the hidden service is "listening" on, and the <server> is the server where requests to that port will be forwarded to.

For example, you would normally have:

    HiddenServicePort 80 127.0.0.1

...which will forward requests to port 80 onto a local web server that is bound to 127.0.0.1.

However, you can also directly forward requests onto another server across the internet. This is not recommended though, as by default the requests will be forwarded unencrypted, which poses a risk of de-anonymization and man-in-the-middle attacks.

Important Note: Forwarding requests to a remote server has a major potential to de-anonymize you if done incorrectly. If your own anonymity is important, it's probably better to run a local web server (eg: forward requests to 127.0.0.1). Please refer to the official Tor documentation for more information.

You can theoretically host anything behind a hidden service, including a file server, IRC server, email server, etc.

You can now run Tor located in src/or/tor. Successful output is as follows:

    Oct 19 23:58:25.320 [notice] Tor 0.3.2.2-alpha (git-e2a2704f17415d8a) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g, Zlib 1.2.8, Liblzma N/A, and Libzstd N/A.
    Oct 19 23:58:25.320 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
    Oct 19 23:58:25.320 [notice] This version is not a stable Tor release. Expect more bugs than usual.
    Oct 19 23:58:25.320 [notice] Read configuration file "/usr/local/etc/tor/torrc".
    Oct 19 23:58:25.326 [notice] Scheduler type KIST has been enabled.
    Oct 19 23:58:25.326 [notice] Opening Socks listener on 127.0.0.1:9050
    Oct 19 23:58:25.000 [notice] Bootstrapped 0%: Starting
    Oct 19 23:58:26.000 [notice] Starting with guard context "default"
    Oct 19 23:58:26.000 [notice] Bootstrapped 80%: Connecting to the Tor network
    Oct 19 23:58:26.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
    Oct 19 23:58:27.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
    Oct 19 23:58:27.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
    Oct 19 23:58:27.000 [notice] Bootstrapped 100%: Done

If you have errors relating to communication with directory servers, double check the permissions on your hidden service configuration directory. Both the folder and contained files should only be readable and writable by the owner (user that is running Tor):

    drwx------ 2 tor tor 4096 Oct 20 00:00 .
    drwxr-xr-x 5 tor tor 4096 Oct 19 22:29 ..
    -rw------- 1 tor tor   63 Oct 20 00:00 hostname
    -rw------- 1 tor tor   64 Oct 18 23:29 hs_ed25519_public_key
    -rw------- 1 tor tor   96 Oct 18 23:29 hs_ed25519_secret_key

In order to make Tor run at boot, you could set it up as a cronjob or use any other method for starting a program at boot. Don't run Tor as root.

The "hostname" file in your hidden service configuration directory contains the hostname for your new Onion v3 hidden service. The other files are your hidden service keys, so it is imperative that these are kept private. If your keys leak, other people can impersonate your hidden service, rendering it compromised, useless and dangerous to visit.

Apache Configuration

Configuring a local web server for your hidden service is exactly the same as with Onion v2, just make sure that your web server is accessible locally on 127.0.0.1 and everything should work.
If your own anonymity is important, make sure that your web server is configured correctly so that it is not going to de-anonymize you.

However, in my setup I am using a remote web server as the forwarding destination for the hidden service. To clarify, my Onion v3 hidden service is running on a separate server to the main JamieWeb server, and the hidden service is forwarding requests across the internet to the main server. This involves a small risk of man-in-the-middle attack since the requests are forwarded unencrypted by default, however for this temporary test environment, it should be fine as the risk is minimal (MitM against internet backbone traffic is much more difficult than with standard user endpoints).

Important Note: Please read my note above as there is potentially a major risk of de-anonymization when forwarding requests to a remote server.

Since I have IP address catch-all virtual hosts set up, the request is blocked by default:

    403 Forbidden - Direct request to IPv4 address (220.127.116.11) blocked. Please use https://www.jamieweb.net instead.

In order to get around this, you can simply create a virtual host with the ServerName value set to the Onion address. In my configuration, I have the following (irrelevant lines removed):

    <VirtualHost 18.104.22.168:80>
        ServerName jamie3vkiwibfiwucd6vxijskbhpjdyajmzeor4mc4i7yopvpo4p7cyd.onion
    </VirtualHost>

The request will no longer be blocked, allowing the hidden service to work as normal.

Vanity Addresses

Edit 7th Jan 2017 @ 12:01am: I have now written an entire blog post about Onion v3 vanity address generation, which you can read here.

As with my Onion v2 hidden service, I am very interested in generating a vanity address to use for my site. As of writing this, there are several tools already available for Onion v3 vanity address generation.
However, as I did with the Onion v2 address, I am also looking into writing a basic script to perform the cryptography outside of Tor in order to generate addresses automatically. This isn't designed to be a highly efficient program to generate millions of addresses per second, just a basic script that is able to do it faster than a human.

The script that I wrote for automatically generating Onion v2 addresses was quite inefficient, but was still able to generate ~5 addresses per second. While something like this isn't going to be able to generate a long vanity address in any reasonable timeframe, it's enough to get a few characters and understand how the cryptography behind it is working.

With Onion v2 and an efficient CPU/GPU vanity address generation program, an 8 character vanity address is realistically achievable with an average home computer running for around a month. Onion v3 addresses are still Base32, but are 56 characters rather than 16, so the search space is significantly larger. I am going to set my Raspberry Pi cluster to work generating an Onion v3 vanity address straight away!

I am also interested to see what Facebook are going to do with their Onion v2 hidden service. They are one of the few organisations to have an Extended Validation (EV) SSL certificate for their hidden service, so I wonder if DigiCert will issue a new one to them when/if Facebook upgrades to Onion v3?

Conclusion

I will be continuing to test the Tor alpha builds with Onion v3. Once they are in a stable release, I'll move it back over to the main JamieWeb server where it can be hosted alongside the existing Onion v2 hidden service (it is possible to host multiple hidden services with a single Tor instance).

Overall I really like Onion v3, it is a well-needed update to the cryptography behind Tor, and hopefully people will adopt it as soon as possible.
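An added example, not code from the original post: how the 56-character name in the hostname file is derived from hs_ed25519_public_key, and a check of the hidden service directory against the owner-only permissions shown in the listing above. The encoding and the key-file header follow Tor's v3 onion service specification; the function names are this example's own.

```python
import base64
import hashlib
import os
import stat

# Header of Tor's hs_ed25519_public_key file: 29 ASCII bytes padded to 32 with NULs.
PUB_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"
VERSION = b"\x03"


def onion_v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as '<56 base32 chars>.onion'."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def parse_onion_v3(hostname: str) -> bytes:
    """Return the public key embedded in a v3 onion name, or raise ValueError."""
    label = hostname.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion names are 56 base32 characters")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, version = raw[:32], raw[34:]
    if version != VERSION:
        raise ValueError("unexpected version byte")
    if onion_v3_address(pubkey) != label + ".onion":
        raise ValueError("checksum mismatch: typo or corrupted address")
    return pubkey


def audit_hidden_service_dir(path: str) -> list:
    """Return findings for a HiddenServiceDir; an empty list means it looks sane."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("directory is accessible to group/other")
    for name in ("hostname", "hs_ed25519_public_key", "hs_ed25519_secret_key"):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            findings.append(f"{name}: missing")
        elif stat.S_IMODE(os.stat(full).st_mode) & 0o077:
            findings.append(f"{name}: accessible to group/other")
    try:
        with open(os.path.join(path, "hs_ed25519_public_key"), "rb") as fh:
            blob = fh.read()
        with open(os.path.join(path, "hostname")) as fh:
            published = fh.read().strip()
        if len(blob) != 64 or not blob.startswith(PUB_HEADER):
            findings.append("hs_ed25519_public_key: unexpected format")
        elif onion_v3_address(blob[32:]) != published:
            findings.append("hostname does not match hs_ed25519_public_key")
    except OSError:
        pass  # missing files were already reported above
    return findings


if __name__ == "__main__":
    import sys
    # Address quoted in the post; pass a HiddenServiceDir path to audit it as well.
    print(parse_onion_v3("jamie3vkiwibfiwucd6vxijskbhpjdyajmzeor4mc4i7yopvpo4p7cyd.onion").hex())
    for finding in (audit_hidden_service_dir(sys.argv[1]) if sys.argv[1:] else []):
        print("FINDING:", finding)
```

Because the two checksum bytes and the version byte are part of the name, a mistyped v3 address is rejected before any connection is attempted, which v2 names could not offer.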
By Philipp Winter, Annie Edmundson, Laura Roberts, Agnieszka Dutkowska-Żuk, Marshini Chetty, and Nick Feamster

Want to find US military drone data leaks online? Frolic in a fraudster’s paradise for people’s personal information? Or crawl through the criminal underbelly of the Internet? These are the images that come to most when they think of the dark web and a quick google search for “dark web” will yield many stories like these. Yet, far less is said about how the dark web can actually enhance user privacy or overcome censorship by enabling anonymous browsing through Tor. Recently, for example, Brave, dedicated to protecting user privacy, integrated Tor support to help users surf the web anonymously from a regular browser. This raises questions such as: is the dark web for illicit content and dealings only? Can it really be useful for day-to-day web privacy protection? And how easy is it to use anonymous browsing and dark web or “onion” sites in the first place?

To answer some of these pressing questions, we studied how Tor users use onion services. Our work will be presented at the upcoming USENIX Security conference in Baltimore next month and you can read the full paper here or the TLDR version here.

What are onion services? Onion services were created by the Tor project in 2004. They not only offer privacy protection for individuals browsing the web but also allow web servers, and thus websites themselves, to be anonymous. This means that any “onion site” or dark web site cannot be physically traced to identify those running the site or where the site is hosted. Onion services differ from conventional web services in four ways. First, they can only be accessed over the Tor network. Second, onion domains (akin to URLs for the regular web) are hashes over their public key and consist of a string of letters and numbers, which makes them long, complicated, and difficult to remember.
These domains sometimes contain prefixes that are human-readable but they are expensive to generate (e.g. torprojectqyqhjn.onion). We refer to these as vanity domains. Third, the network path between the client and the onion service is typically longer, meaning slower performance owing to longer latencies. Finally, onion services are private by default, meaning that to find and use an onion site, a user has to know the onion domain, presumably by finding this information organically, rather than with a search engine.

What did we do to investigate how Tor users make use of onion services? We conducted a large scale survey of 517 Tor users and interviewed 17 Tor users in depth to determine how users perceive, use, and manage onion services and what challenges they face in using these services. We asked our participants about how they used Tor’s onion services and how they managed onion domains. In addition, we asked users about their expectations of privacy and their privacy and security concerns when using onion services. To complement our qualitative data, we analyzed “leaked” DNS lookups to onion domains, as seen from a DNS root server. This data gave us insights into actual usage patterns to corroborate some of the findings from the interviews and surveys. Our final sample of participants was young and highly educated, and ranged from journalists, whistleblowers, and everyday users wanting to protect their privacy to those doing competitive research on others and wanting to avoid being “outed”. Other participants included activists and those who wanted to avoid government detection for fear of persecution or worse.

What were the main findings? First, unsurprisingly, onion services were mostly used for anonymity and security reasons. For instance, 71% of survey respondents reported using onion services to protect their identity online.
Almost two thirds of the survey respondents reported using onion services for non-browsing activities such as TorChat, a secure messaging app built on top of onion services. 45% of survey participants had other reasons for using Tor such as to help educate users about the dark web or for their personal blogs. Only 27% of survey respondents reported using onion services to explore the dark web and its content “out of curiosity”.

Second, users had a difficult time finding, tracking, and saving onion links.

Finding links: Almost half of our survey respondents discovered onion links through social media such as Twitter or Reddit or by randomly encountering links while browsing the regular web. Fewer survey respondents discovered links through friends and family. Challenges users mentioned for finding onion services included:

- Onion sites frequently change addresses and so often onion domain aggregators have broken and out of date links.
- Unlike traditional URLs, onion links give no indication of the content of the website so it is difficult to avoid potentially offensive or illicit content.
- Again, unlike traditional URLs, participants said it is hard to determine through a glance at the address bar if a site is the authentic one you are trying to reach instead of a phishing site.

A frequent wish expressed by participants was for a better search engine that is more up to date and gives an indication of the content before one clicks on the link as well as authenticity of the site itself.

Tracking and Saving links: To track and save complicated onion domains, many participants opted to bookmark links but some did not want to leave a trace of websites they visited on their machines. The majority of other survey respondents had ad-hoc measures to deal with onion links. Some memorized a few links and did so to protect privacy by not writing the links down. However, this was only possible for a few vanity domains in most cases.
Others just navigated to the places where they found the links in the first place and used the links from there to open the websites they needed.

Third, onion domains are also hard to verify as authentic.

Vanity domains: Users appreciated vanity domains where onion services operators have taken extra effort and expense to set up a domain that is almost readable such as the case of Facebook’s onion site, facebookcorewwwi.onion. Many participants liked the fact that vanity domains give more indication of the content of the domain. However, our participants also felt vanity domains could lead to more phishing attacks since people would not try to verify the entire onion domain but only the readable prefix.

“We also get false expectations of security from such domains. Somebody can generate another onion key with same facebookcorewwwi address. It’s hard but may be possible. People who believe in uniqueness of generated characters, will be caught and impersonated.” – Participant S494

Verification Strategies: Our participants had a variety of strategies such as cutting and pasting links, using bookmarks, or verifying the address in the address bar to check the authenticity of a website. Some checked for a valid HTTPS certificate or familiar images in the website. However, over a quarter of our survey respondents reported that they could not tell if a site was authentic (28%) and 10% did not even check for authenticity at all. Some lamented that this is innate to the design of onion services and that there is no real way to tell if an onion service is authentic, epitomized by a quote from Participant P1:

“I wouldn’t know how to do that, no. Isn’t that the whole point of onion services? That people can run anonymous things without being able to find out who owns and operates them?”

Fourth, onion lookups suggest typos or phishing.
In our DNS dataset, we found similarities between frequently visited popular onion sites such as Facebook’s onion domain and similar significantly less frequently visited websites, suggesting users were making typos or potentially that phishing sites exist. Of the top 20 onion domains we encountered in our data set, 16 were significantly similar to at least one other onion domain in the data set. More details are available in the paper.

What do these findings mean for Tor and onion services? Tor and onion services do have a part to play in helping users to protect their anonymity and privacy for reasons other than those usually associated with a “nefarious” dark web such as support for those overcoming censorship, stalking, and exposing others’ wrong-doing or whistleblowing. However, to better support these uses of Tor and onion services, our users wanted onion service improvements. Desired improvements included more support for Tor in general in browsers, improvement in performance, improved privacy and security, educational resources on how to use Tor and onion services, and finally improved onion services search engines. Our results suggest that to enable more users to make use of onion services, users need:

- better security indicators to help them understand Tor and onion services are working correctly
- automatic detection of phishing in onion services
- opt-in publishing of onion domains to improve search for legitimate and legal content
- better ways to track and save onion links including privacy preserving onion bookmarking.

Future studies to further demystify the dark web are warranted and in our paper we make suggestions for more work to understand the positive aspects of the dark web and how to support privacy protections for everyday users.

You can read more about our study and its limitations here (such as the fact our participants were self-selected and may not represent those who do use the dark web for illicit activities for instance) or skim the paper summary.
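An added example, not taken from the paper: one way to surface the pattern described in the fourth finding, pairing rarely looked-up onion labels with popular ones they resemble, either by a small edit distance (typo) or by a long shared readable prefix (the vanity-prefix concern raised by participants). The similarity measures and thresholds are assumptions of this example and the lookup counts are constructed.

```python
from collections import Counter
from os.path import commonprefix


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming over one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(lookups, top_n=2, max_edits=2, min_prefix=8):
    """Pair each rarely seen onion label with any popular label it resembles.

    lookups maps an onion label to its lookup count; the top_n most frequent
    labels are treated as the popular references (an assumption of this example).
    """
    ranked = [label for label, _ in Counter(lookups).most_common()]
    popular, rare = ranked[:top_n], ranked[top_n:]
    hits = []
    for cand in rare:
        for ref in popular:
            if edit_distance(cand, ref) <= max_edits:
                hits.append((cand, ref, "typo-distance"))
            elif len(commonprefix([cand, ref])) >= min_prefix:
                hits.append((cand, ref, "shared-prefix"))
    return hits


# Constructed sample: 16-character labels with made-up lookup counts.
SAMPLE = {
    "exampleshopq4x7a": 9100,
    "newsmirror5kd2vz": 4200,
    "n5vq2kd7wzmb3xya": 40,   # unrelated label
    "exampleshopq4x7b": 12,   # one character off
    "exampleshopzk3m2": 7,    # same readable prefix, different tail
    "newsmirorr5kd2vz": 3,    # two letters swapped
}

if __name__ == "__main__":
    for cand, ref, reason in flag_lookalikes(SAMPLE):
        print(f"{cand}.onion resembles {ref}.onion ({reason})")
```

The shared-prefix rule is the one that matters for vanity names: a label can differ in every character after the readable part and still pass a user's glance at the address bar.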